FindBugs

FindBugs is written in Java, distributed under LGPL and although not focused on security vulnerabilities, it does find quite a few of those. It is available both as a standalone application and as an Eclipse plugin.

  • Typical error types found:
    • Risks of SQL Injection, Code Injection, …
    • General Bad practices
    • Exceptional return values not checked
    • Hard coded database passwords
    • Customizable rulesets

Standalone Application

Installation

The following is valid as of Jan 29th 2010, for the current version of FindBugs (1.3.9).

wget http://switch.dl.sourceforge.net/project/findbugs/findbugs/1.3.9/findbugs-1.3.9.tar.gz
tar xfz findbugs-1.3.9.tar.gz
Usage

The standalone version of FindBugs can be started with the following command (from the directory where you installed it):

Unix
bin/findbugs
Windows
bin\findbugs.bat

Once it is started, you should configure an analysis project:

  • Select the File > New Project menu option (Ctrl+N works as well)
  • Give the project a name
  • Add the location of the classes to be analyzed to the corresponding list. (typically your bin or class folder, or a jar file.)
  • (Optional) To improve FindBugs understanding of your code, you can add the required libraries to the next list (all jars have to be added, including the lib folder containing the jars is not sufficient)!
  • (Optional) For better identification of the errors and to be able to get the line numbers and code extracts for the reported vulnerabilities, add the root of your source directory to the last list.

NOTE: To the best of our knowledge, the Wizard for the project creation isn't fully functional, the above steps are recommended instead.

You can then save the project configuration and analysis results for later use or evolution analysis.

Configuration

In the stand-alone version you can change the configuration via filters (Preferences → Filters) to hide those issues which you do not consider relevant to your analysis.

Particular attention should be given to the bugs in the Security or in the Malicious Code Vulnerability categories. Also, the BadUseOfReturnValue detector should be activated.

Eclipse Plugin

Installation

NOTE: The version of Eclipse available on SLC5 is Eclipse 3.2, which not supported by the FindBugs plugin! It requires Eclipse 3.3 (Europa)…

The url for the Eclipse plugin update site is: http://findbugs.cs.umd.edu/eclipse for the official releases. From version 3.4 onwards (Ganymede & Galileo), the plugin installation has been simplified, just go to Help > Install New Software and enter the update site's address. Once the features have been loaded, just select the one you want. (In our case, just check the FindBugs box.)
In version 3.3 (Europa), go to Help → Sofware Updates → Find and Install, then select Search for new features to install. Afterwards, hit the New Remote Site button, enter a name (e.g. FindBugs) and the update site url.

Usage

Once the plugin is installed, you can right click your project and select FindBugs → Find Bugs. This will start the analysis of your source and offer you to switch to the FindBugs perspective.

Configuration

In the Eclipse Plugin, the configuration can be done via Window → Preferences → Java → FindBugs.

False positive ignoring/reporting

Reported potential vulnerabilities can be categorized (e.g. I will fix, not a bug, need further study, etc.) either directly on the stand-alone application or through the Bug User Annotations view in the Eclipse plugin. Analysis results can be saved to an xml file, which can be shared and then loaded by collaborators, including the annotations.